EXCLUSIVE: Privacy commissioner suspends consultation following Equifax data breach, say lawyers

The Canadian government’s privacy watchdog is quietly winding down a consultation that was announced in April following the Equifax data breach, say lawyers.

David Fraser, a privacy lawyer at McInnes Cooper in Halifax, says his take on a consultation by the Office of the Privacy Commissioner of Canada in the wake of an investigation into the Equifax data breach was that it was 'ill-conceived from the get-go.'

Lawyers say Privacy Commissioner of Canada Daniel Therrien told lawyers and chief privacy officers that his office would suspend its consultation on transborder dataflows, which was announced on April 9 after an investigation into Equifax and Equifax Canada Co.’s compliance with PIPEDA.

The suspension of the consultation was announced verbally in Toronto at the IAPP Canada Privacy Symposium 2019, says David Elder, chair of the communications and privacy and data protection groups at Stikeman Elliott LLP in Ottawa.

The Equifax personal data breach made headlines worldwide after Equifax announced it on September 7, 2017.

It impacted 143 million individuals worldwide, including 19,000 Canadians, “almost all of whom had their social insurance number, along with other accompanying identifiers, compromised,” said the Office of the Privacy Commissioner of Canada on April 9.

“An investigation into a global data breach has found that both Equifax Canada and its US-based parent company fell far short of their privacy obligations to Canadians,” said a news release from the OPC.

“Privacy concerns included poor security safeguards; retaining information too long; inadequate consent procedures; a lack of accountability for Canadians’ information and limited protection measures offered to affected individuals after the breach.”

As a result, the OPC pledged to hold a formal consultation, “soliciting feedback and updating its guidance on cross-border transfers of personal information.”

“We believe individuals would generally expect to know whether and where their personal information may be transferred or otherwise disclosed to an organization outside Canada,” said the OPC. The news caused widespread dismay, say lawyers.

David Fraser, a privacy lawyer at McInnes Cooper in Halifax, says his take was that “this consultation was ill-conceived from the get-go.”

Fraser says the immediate reaction to the news was “overwhelmingly negative, even bringing into question [Therrien’s] respect for the rule of law and parliamentary supremacy.”

“I think he was looking for a way to walk this back,” he says. “And I think the digital charter announcement and proposals for privacy law reform contained in that gave him cover to do that.”

In 2009, the OPC had said that a “transfer” is not to be confused with a “disclosure” of personal information, because a transfer of information “can only be used for the purposes for which the information was originally collected.”

The OPC’s Equifax investigation reversed that, and said that “transfers for processing from Equifax Canada to Equifax Inc. constitute disclosures of personal information under the meaning of PIPEDA.”

“Our change in position is based ultimately on our obligation to ensure that our policies reflect a correct interpretation of the current law. During the Equifax investigation, it became apparent that the position that a transfer (i.e., when a responsible organization transfers personal information to a third party for processing) is not a ‘disclosure’ is debatable and likely not correct as a matter of law,” the OPC said in April.

Fraser says he was not present at the meetings in Toronto last week where the suspension of the consultation was announced, but says the privacy bar was abuzz with the news.

“It came out of nowhere and it wasn’t just a consultation because in fact it was begun by them saying, ‘We are completely re-writing our approach to cross-border data flows and all outsourcing, to a 180 degree turn away from the guidance that my predecessor [former Privacy Commissioner of Canada Jennifer Stoddart] gave in 2009 … and we’re completely reinterpreting our statutes in a way that the statute won’t bear, but please give us your comments.’”

Elder says that the privacy commissioner’s findings in the initial investigation of the Equifax breach would have made Canada an outlier in terms of privacy law, particularly on the distinction between uses and disclosures of data when outsourcing, and the consent needed to transfer personal information.

Now, if the consultation is cancelled without addressing the OPC’s findings, the business community might find the law “unworkable,” says Elder.

He says that lawyers are confused on whether to advise their clients to stop working on submissions for the consultation.

“There is a considerable amount of uncertainty. In oral remarks made on a couple of occasions at the IAPP conference last week, the commissioner indicated he was suspending the announced consultation. The part that wasn’t clear is, ‘What does suspending mean? Will it be revived, and if so when, and what does it cover?’” says Elder.

The abrupt suspension of the consultation comes as the OPC digests the Canadian Digital Charter announced May 21, says Elder.

As recently as May 15, the OPC said it was extending deadlines for comments about the consultation until Friday, June 28, 2019 and that given the consultation period, the office did “not expect organizations to change their practices at this time.”

The Office of the Privacy Commissioner still says on its website that it is planning to update its Guidelines for Processing Personal Data Across Borders based on the now-defunct consultation.

“The mere fact that they said verbally that parties don’t have to submit responses to the consultation doesn’t change the fact that in two different official documents, the privacy commissioner is on record as saying ‘this is a disclosure not a use,’ and that consent is required for essentially all outsourcing of personal information,” says Elder. “This is part of what businesses are now grappling with.”

Lisa Lifshitz, a partner at Torkin Manes LLP Barristers & Solicitors, says she attended a meeting before the conference where the suspension of the consultation was also discussed.

Lifshitz says that even if the suspension of the OPC consultation is a result of additional consultations around the new Digital Charter, people are still looking for clarity from the regulator. She noted that there are a number of issues beyond transborder consent that were raised by the Equifax breach.

“We had understood — those of us that attended that initial meeting — that the privacy commissioner’s website would be updated to reflect this new development, and I’m a little surprised it has not occurred up to this point because in my mind that’s problematic. We shouldn’t be privy to information that others in the country aren’t,” she says.

Adam Kardash, the chair of Osler, Hoskin & Harcourt LLP’s national privacy and data management practice and co-lead of AccessPrivacy, says there was almost unanimous disagreement with the OPC’s legal position.

“The issues raised by the consultation have significant broad-based policy implications with highly adverse practical implications for organizations in all sectors,” he says. “[T]he discussion is best suited as part of the statutory reform discussions regarding the amendment to PIPEDA, which were just recently announced by the federal government with its announcement of the Digital Charter.”

The consultation had caused widespread concern, he says.

“The commencement of the trans-border data flow consultation … it was like a metaphorical bomb in the privacy arena,” says Kardash.

A spokeswoman for the Office of the Privacy Commissioner confirmed to Law Times Friday afternoon that the federal government "made an announcement last week with respect to a Digital Charter and review of PIPEDA."

"The government's discussion paper suggests that transborder data flows may be dealt with in an eventual new law," she said, in an email statement.

"The Commissioner has announced that we are pausing our own consultation. In light of the government's announcement and the feedback we are receiving from stakeholders, we need to consider the best way forward. It is clear that consideration needs to be given to both the short term (how to address transborder data flow issues under the existing law) and the long term (how a future law should address transborder data flows in a way that best protects Canadians)."

- with files by Gabrielle Giroday